From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 12:06:05 +0000 (-0700) Subject: 3.18-stable patches X-Git-Tag: v4.18.12~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0510e49ec1435c22f82338f3b9dde5d496e7b11a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alarmtimer-prevent-overflow-for-relative-nanosleep.patch alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch alsa-snd-aoa-add-of_node_put-in-error-path.patch arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch audit-fix-extended-comparison-of-gid-egid.patch crypto-skcipher-fix-wstringop-truncation-warnings.patch drivers-tty-add-error-handling-for-pcmcia_loop_config.patch hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch media-soc_camera-ov772x-correct-setting-of-banding-filter.patch media-tm6000-add-error-handling-for-dvb_register_adapter.patch module-exclude-shn_undef-symbols-from-kallsyms-api.patch nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch s390-extmem-fix-gcc-8-stringop-overflow-warning.patch scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch scsi-ibmvscsi-improve-strings-handling.patch scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch staging-android-ashmem-fix-mmap-size-validation.patch tsl2550-fix-lux1_input-error-in-low-light.patch usb-serial-kobil_sct-fix-modem-status-error-handling.patch usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch uwb-hwa-rc-fix-memory-leak-at-probe.patch wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch 
x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch x86-tsc-add-missing-header-to-tsc_msr.c.patch
---
diff --git a/queue-3.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch b/queue-3.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch
new file mode 100644
index 00000000000..d84c1f441fe
--- /dev/null
+++ b/queue-3.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch
@@ -0,0 +1,51 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Thomas Gleixner
+Date: Mon, 2 Jul 2018 09:34:29 +0200
+Subject: alarmtimer: Prevent overflow for relative nanosleep
+
+From: Thomas Gleixner
+
+[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]
+
+Air Icy reported:
+
+ UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
+ signed integer overflow:
+ 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
+ Call Trace:
+ alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
+ __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
+ __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
+ __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
+ do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
+
+alarm_timer_nsleep() uses ktime_add() to add the current time and the
+relative expiry value. ktime_add() has no sanity checks so the addition
+can overflow when the relative timeout is large enough.
+
+Use ktime_add_safe() which has the necessary sanity checks in place and
+limits the result to the valid range.
+
+Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
+Reported-by: Team OWL337
+Signed-off-by: Thomas Gleixner
+Cc: John Stultz
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/alarmtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -776,7 +776,8 @@ static int alarm_timer_nsleep(const cloc
+ /* Convert (if necessary) to absolute time */
+ if (flags != TIMER_ABSTIME) {
+ ktime_t now = alarm_bases[type].gettime();
+- exp = ktime_add(now, exp);
++
++ exp = ktime_add_safe(now, exp);
+ }
+
+ if (alarmtimer_do_nsleep(&alarm, exp))
diff --git a/queue-3.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch b/queue-3.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
new file mode 100644
index 00000000000..06e9f4d2670
--- /dev/null
+++ b/queue-3.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Kai-Heng Feng
+Date: Thu, 28 Jun 2018 15:28:24 +0800
+Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
+
+From: Kai-Heng Feng
+
+[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ]
+
+This patch can make audio controller in AMD Raven Ridge gets runtime
+suspended to D3, to save ~1W power when it's not in use.
+
+Cc: Vijendar Mukunda
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/hda_intel.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2094,7 +2094,8 @@ static const struct pci_device_id azx_id
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
+ /* AMD Raven */
+ { PCI_DEVICE(0x1022, 0x15e3),
+- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
++ AZX_DCAPS_PM_RUNTIME },
+ /* ATI HDMI */
+ { PCI_DEVICE(0x1002, 0x0002),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS },
diff --git a/queue-3.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch b/queue-3.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch
new file mode 100644
index 00000000000..ee19a55fb9e
--- /dev/null
+++ b/queue-3.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Nicholas Mc Guire
+Date: Fri, 29 Jun 2018 19:07:42 +0200
+Subject: ALSA: snd-aoa: add of_node_put() in error path
+
+From: Nicholas Mc Guire
+
+[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ]
+
+ Both calls to of_find_node_by_name() and of_get_next_child() return a
+node pointer with refcount incremented thus it must be explicidly
+decremented here after the last usage. As we are assured to have a
+refcounted np either from the initial
+of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np)
+in the while loop if we reached the error code path below, an
+x of_node_put(np) is needed.
+
+Signed-off-by: Nicholas Mc Guire
+Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/aoa/core/gpio-feature.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/aoa/core/gpio-feature.c
++++ b/sound/aoa/core/gpio-feature.c
+@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char
+ }
+
+ reg = of_get_property(np, "reg", NULL);
+- if (!reg)
++ if (!reg) {
++ of_node_put(np);
+ return NULL;
++ }
+
+ *gpioptr = *reg;
+
diff --git a/queue-3.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch b/queue-3.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
new file mode 100644
index 00000000000..6eeb64ea55c
--- /dev/null
+++ b/queue-3.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
@@ -0,0 +1,62 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Ethan Tuttle
+Date: Tue, 19 Jun 2018 21:31:08 -0700
+Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c
+
+From: Ethan Tuttle
+
+[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ]
+
+With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to
+detect buffer overflows. If src or dest is declared as a char, attempts to
+copy more than byte will result in a fortify_panic().
+
+Address this problem in mvebu_setup_boot_addr_wa() by declaring
+mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove
+a couple addressof operators to avoid "arithmetic on pointer to an
+incomplete type" compiler error.
+
+See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays,
+not single characters") for a similar fix.
+
+Fixes "detected buffer overflow in memcpy" error during init on some mvebu
+systems (armada-370-xp, armada-375):
+
+(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4)
+(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204)
+(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8)
+(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254)
+(kernel_init_freeable) from (kernel_init+0x8/0x114)
+(kernel_init) from (ret_from_fork+0x14/0x2c)
+
+Signed-off-by: Ethan Tuttle
+Tested-by: Ethan Tuttle
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-mvebu/pmsu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-mvebu/pmsu.c
++++ b/arch/arm/mach-mvebu/pmsu.c
+@@ -117,8 +117,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw
+ PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu));
+ }
+
+-extern unsigned char mvebu_boot_wa_start;
+-extern unsigned char mvebu_boot_wa_end;
++extern unsigned char mvebu_boot_wa_start[];
++extern unsigned char mvebu_boot_wa_end[];
+
+ /*
+ * This function sets up the boot address workaround needed for SMP
+@@ -131,7 +131,7 @@ int mvebu_setup_boot_addr_wa(unsigned in
+ phys_addr_t resume_addr_reg)
+ {
+ void __iomem *sram_virt_base;
+- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start;
++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start;
+
+ mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE);
+ mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute,
diff --git a/queue-3.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch b/queue-3.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
new file mode 100644
index 00000000000..c201624ee68
--- /dev/null
+++ b/queue-3.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Liam Girdwood
+Date: Thu, 14 Jun 2018 20:26:42 +0100
+Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
+
+From: Liam Girdwood
+
+[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ]
+
+Sometime a component or topology may configure a DAI widget with no
+private data leading to a dev_dbg() dereferencne of this data.
+
+Fix this to check for non NULL private data and let users know if widget
+is missing DAI.
+
+Signed-off-by: Liam Girdwood
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-dapm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3400,6 +3400,13 @@ int snd_soc_dapm_link_dai_widgets(struct
+ continue;
+ }
+
++ /* let users know there is no DAI to link */
++ if (!dai_w->priv) {
++ dev_dbg(card->dev, "dai widget %s has no DAI\n",
++ dai_w->name);
++ continue;
++ }
++
+ dai = dai_w->priv;
+
+ /* ...find all widgets with the same stream and link them */
diff --git a/queue-3.18/audit-fix-extended-comparison-of-gid-egid.patch b/queue-3.18/audit-fix-extended-comparison-of-gid-egid.patch
new file mode 100644
index 00000000000..dba50a59475
--- /dev/null
+++ b/queue-3.18/audit-fix-extended-comparison-of-gid-egid.patch
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: "Ondrej Mosnáček"
+Date: Tue, 5 Jun 2018 11:00:10 +0200
+Subject: audit: Fix extended comparison of GID/EGID
+
+From: "Ondrej Mosnáček"
+
+[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ]
+
+The audit_filter_rules() function in auditsc.c used the in_[e]group_p()
+functions to check GID/EGID match, but these functions use the current
+task's credentials, while the comparison should use the credentials of
+the task given to audit_filter_rules() as a parameter (tsk).
+
+Note that we can use group_search(cred->group_info, ...) as a
+replacement for both in_group_p and in_egroup_p as these functions only
+compare the parameter to cred->fsgid/egid and then call group_search.
+
+In fact, the usage of in_group_p was even more incorrect: it compares to
+cred->fsgid (which is usually equal to cred->egid) and not cred->gid.
+
+GitHub issue:
+https://github.com/linux-audit/audit-kernel/issues/82
+
+Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic")
+Signed-off-by: Ondrej Mosnacek
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/auditsc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -484,20 +484,20 @@ static int audit_filter_rules(struct tas
+ result = audit_gid_comparator(cred->gid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_group_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_group_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_EGID:
+ result = audit_gid_comparator(cred->egid, f->op, f->gid);
+ if (f->op == Audit_equal) {
+ if (!result)
+- result = in_egroup_p(f->gid);
++ result = groups_search(cred->group_info, f->gid);
+ } else if (f->op == Audit_not_equal) {
+ if (result)
+- result = !in_egroup_p(f->gid);
++ result = !groups_search(cred->group_info, f->gid);
+ }
+ break;
+ case AUDIT_SGID:
diff --git a/queue-3.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch b/queue-3.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch
new file mode 100644
index 00000000000..2693d344a9a
--- /dev/null
+++ b/queue-3.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch
@@ -0,0 +1,63 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Stafford Horne
+Date: Mon, 25 Jun 2018 21:45:37 +0900
+Subject: crypto: skcipher - Fix -Wstringop-truncation warnings
+
+From: Stafford Horne
+
+[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
+
+As of GCC 9.0.0 the build is reporting warnings like:
+
+ crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
+ crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "",
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ sizeof(rblkcipher.geniv));
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This means the strnycpy might create a non null terminated string. Fix this by
+explicitly performing '\0' termination.
+
+Cc: Greg Kroah-Hartman
+Cc: Arnd Bergmann
+Cc: Max Filippov
+Cc: Eric Biggers
+Cc: Nick Desaulniers
+Signed-off-by: Stafford Horne
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/ablkcipher.c | 2 ++
+ crypto/blkcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -382,6 +382,7 @@ static int crypto_ablkcipher_report(stru
+ strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+@@ -463,6 +464,7 @@ static int crypto_givcipher_report(struc
+ strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize;
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -514,6 +514,7 @@ static int crypto_blkcipher_report(struc
+ strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type));
+ strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "",
+ sizeof(rblkcipher.geniv));
++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0';
+
+ rblkcipher.blocksize = alg->cra_blocksize;
+ rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
diff --git a/queue-3.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch b/queue-3.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
new file mode 100644
index 00000000000..d1a79825151
--- /dev/null
+++ b/queue-3.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Zhouyang Jia
+Date: Tue, 12 Jun 2018 12:36:25 +0800
+Subject: drivers/tty: add error handling for pcmcia_loop_config
+
+From: Zhouyang Jia
+
+[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ]
+
+When pcmcia_loop_config fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling pcmcia_loop_config.
+
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/serial_cs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/serial_cs.c
++++ b/drivers/tty/serial/8250/serial_cs.c
+@@ -629,8 +629,10 @@ static int serial_config(struct pcmcia_d
+ (link->has_func_id) &&
+ (link->socket->pcmcia_pfc == 0) &&
+ ((link->func_id == CISTPL_FUNCID_MULTI) ||
+- (link->func_id == CISTPL_FUNCID_SERIAL)))
+- pcmcia_loop_config(link, serial_check_for_multi, info);
++ (link->func_id == CISTPL_FUNCID_SERIAL))) {
++ if (pcmcia_loop_config(link, serial_check_for_multi, info))
++ goto failed;
++ }
+
+ /*
+ * Apply any multi-port quirk.
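Review bot: In crypto/ablkcipher.c and crypto/blkcipher.c only `geniv` gets an explicit terminator, while the `strncpy()` into `rblkcipher.type` one line above uses the same bound-equals-destination-size pattern and stays terminated only because the literals are shorter than the field. A comment at the first site would record both that and why strncpy() is kept, for example `/* strncpy zero-pads the field; terminate explicitly in case geniv fills it */`. The same remark applies to the hunks in crypto_givcipher_report() and crypto_blkcipher_report(). The size of `type` and how the struct is consumed afterwards are outside the hunks, so the padding rationale should be confirmed against the full functions.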
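Review bot: In drivers/tty/serial/8250/serial_cs.c every non-zero return from `pcmcia_loop_config(link, serial_check_for_multi, info)` now jumps to `failed`, but the callback name suggests a probe for multi-port cards rather than a mandatory setup step. If the call also returns non-zero when no configuration matches, ordinary single-port cards would start failing serial_config(); that contract is outside the hunk and should be confirmed before treating the result as fatal. If the probe is best-effort, keep the call unconditional and add a comment such as `/* result ignored: absence of a multi-port config is not an error */`. The `failed` label and the value it returns are also outside the hunk.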
diff --git a/queue-3.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch b/queue-3.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
new file mode 100644
index 00000000000..9c5dd52ff73
--- /dev/null
+++ b/queue-3.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Zhouyang Jia
+Date: Thu, 14 Jun 2018 21:37:17 +0800
+Subject: HID: hid-ntrig: add error handling for sysfs_create_group
+
+From: Zhouyang Jia
+
+[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ]
+
+When sysfs_create_group fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling sysfs_create_group.
+
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ntrig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ntrig.c
++++ b/drivers/hid/hid-ntrig.c
+@@ -953,6 +953,8 @@ static int ntrig_probe(struct hid_device
+
+ ret = sysfs_create_group(&hdev->dev.kobj,
+ &ntrig_attribute_group);
++ if (ret)
++ hid_err(hdev, "cannot create sysfs group\n");
+
+ return 0;
+ err_free:
diff --git a/queue-3.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch b/queue-3.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
new file mode 100644
index 00000000000..5041302dc15
--- /dev/null
+++ b/queue-3.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
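Review bot: In drivers/hid/hid-ntrig.c a failing sysfs_create_group() is logged and then discarded, because the next statement is still `return 0;`, so ntrig_probe() reports success with the attribute group missing. If that is deliberate best-effort behaviour it needs a comment, for example `/* sysfs attributes are optional; keep the device usable without them */`; otherwise the failure should take the `err_free:` path visible just below. The remove path is outside the hunk, so it cannot be confirmed from here that it tolerates a group that was never created.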
@@ -0,0 +1,49 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Sylwester Nawrocki
+Date: Tue, 15 May 2018 05:21:45 -0400
+Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
+
+From: Sylwester Nawrocki
+
+[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ]
+
+This patch fixes potential NULL pointer dereference as indicated
+by the following static checker warning:
+
+drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane()
+error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'.
+
+Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+
+Reported-by: Dan Carpenter
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -389,12 +389,17 @@ static void __isp_video_try_fmt(struct f
+ struct v4l2_pix_format_mplane *pixm,
+ const struct fimc_fmt **fmt)
+ {
+- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++ const struct fimc_fmt *__fmt;
++
++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2);
++
++ if (fmt)
++ *fmt = __fmt;
+
+ pixm->colorspace = V4L2_COLORSPACE_SRGB;
+ pixm->field = V4L2_FIELD_NONE;
+- pixm->num_planes = (*fmt)->memplanes;
+- pixm->pixelformat = (*fmt)->fourcc;
++ pixm->num_planes = __fmt->memplanes;
++ pixm->pixelformat = __fmt->fourcc;
+ /*
+ * TODO: double check with the docmentation these width/height
+ * constraints are correct.
diff --git a/queue-3.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch b/queue-3.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
new file mode 100644
index 00000000000..e13fc83b0df
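Review bot: In drivers/media/platform/exynos4-is/fimc-isp-video.c the new local `__fmt` is dereferenced at `pixm->num_planes = __fmt->memplanes;` without a check, so the patch covers a NULL `fmt` argument but not a NULL return from fimc_isp_find_format(). Whether that lookup can fail when called with index 2 is decided outside the hunk. If the index guarantees a hit, a comment next to the call should say so, for example `/* index 2 is the fallback entry, so __fmt is never NULL (confirm against fimc_isp_find_format) */`. If it can fail, the function returns void, so the two `__fmt->` reads need a guard and the caller needs a defined fallback format.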
--- /dev/null
+++ b/queue-3.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Akinobu Mita
+Date: Sun, 10 Jun 2018 11:42:01 -0400
+Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
+
+From: Akinobu Mita
+
+[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ]
+
+When the subdevice doesn't provide s_power core ops callback, the
+v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice
+doesn't have the special handling for its power saving mode, the s_power
+isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be
+ignored.
+
+Cc: Hans Verkuil
+Signed-off-by: Akinobu Mita
+Acked-by: Sylwester Nawrocki
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif
+
+ if (camif->sensor.power_count == !on)
+ err = v4l2_subdev_call(sensor->sd, core, s_power, on);
++ if (err == -ENOIOCTLCMD)
++ err = 0;
+ if (!err)
+ sensor->power_count += on ? 1 : -1;
+
diff --git a/queue-3.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch b/queue-3.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
new file mode 100644
index 00000000000..b6104365ff0
--- /dev/null
+++ b/queue-3.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Akinobu Mita
+Date: Sun, 10 Jun 2018 11:42:26 -0400
+Subject: media: soc_camera: ov772x: correct setting of banding filter
+
+From: Akinobu Mita
+
+[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ]
+
+The banding filter ON/OFF is controlled via bit 5 of COM8 register. It
+is attempted to be enabled in ov772x_set_params() by the following line.
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
+
+But this unexpectedly results disabling the banding filter, because the
+mask and set bits are exclusive.
+
+On the other hand, ov772x_s_ctrl() correctly sets the bit by:
+
+ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+
+The same fix was already applied to non-soc_camera version of ov772x
+driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting
+of banding filter")
+
+Cc: Jacopo Mondi
+Cc: Laurent Pinchart
+Cc: Hans Verkuil
+Signed-off-by: Akinobu Mita
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/soc_camera/ov772x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/soc_camera/ov772x.c
++++ b/drivers/media/i2c/soc_camera/ov772x.c
+@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77
+ * set COM8
+ */
+ if (priv->band_filter) {
+- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
+ if (!ret)
+ ret = ov772x_mask_set(client, BDBASE,
+ 0xff, 256 - priv->band_filter);
diff --git a/queue-3.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch b/queue-3.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch
new file mode 100644
index 00000000000..1993078bf91
--- /dev/null
+++ b/queue-3.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Zhouyang Jia
+Date: Mon, 11 Jun 2018 00:39:20 -0400
+Subject: media: tm6000: add error handling for dvb_register_adapter
+
+From: Zhouyang Jia
+
+[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ]
+
+When dvb_register_adapter fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling dvb_register_adapter.
+
+Signed-off-by: Zhouyang Jia
+[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter]
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/usb/tm6000/tm6000-dvb.c
++++ b/drivers/media/usb/tm6000/tm6000-dvb.c
+@@ -275,6 +275,11 @@ static int register_dvb(struct tm6000_co
+
+ ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T",
+ THIS_MODULE, &dev->udev->dev, adapter_nr);
++ if (ret < 0) {
++ pr_err("tm6000: couldn't register the adapter!\n");
++ goto err;
++ }
++
+ dvb->adapter.priv = dev;
+
+ if (dvb->frontend) {
diff --git a/queue-3.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch b/queue-3.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch
new file mode 100644
index 00000000000..334b0f6a8bf
--- /dev/null
+++ b/queue-3.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch
@@ -0,0 +1,54 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Jessica Yu
+Date: Tue, 5 Jun 2018 10:22:52 +0200
+Subject: module: exclude SHN_UNDEF symbols from kallsyms api
+
+From: Jessica Yu
+
+[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ]
+
+Livepatch modules are special in that we preserve their entire symbol
+tables in order to be able to apply relocations after module load. The
+unwanted side effect of this is that undefined (SHN_UNDEF) symbols of
+livepatch modules are accessible via the kallsyms api and this can
+confuse symbol resolution in livepatch (klp_find_object_symbol()) and
+cause subtle bugs in livepatch.
+
+Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols
+are usually not available for normal modules anyway as we cut down their
+symbol tables to just the core (non-undefined) symbols, so this should
+really just affect livepatch modules. Note that this patch doesn't
+affect the display of undefined symbols in /proc/kallsyms.
+
+Reported-by: Josh Poimboeuf
+Tested-by: Josh Poimboeuf
+Reviewed-by: Josh Poimboeuf
+Signed-off-by: Jessica Yu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/module.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3592,7 +3592,7 @@ static unsigned long mod_find_symname(st
+
+ for (i = 0; i < kallsyms->num_symtab; i++)
+ if (strcmp(name, symname(kallsyms, i)) == 0 &&
+- kallsyms->symtab[i].st_info != 'U')
++ kallsyms->symtab[i].st_shndx != SHN_UNDEF)
+ return kallsyms->symtab[i].st_value;
+ return 0;
+ }
+@@ -3636,6 +3636,10 @@ int module_kallsyms_on_each_symbol(int (
+ if (mod->state == MODULE_STATE_UNFORMED)
+ continue;
+ for (i = 0; i < kallsyms->num_symtab; i++) {
++
++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF)
++ continue;
++
+ ret = fn(data, symname(kallsyms, i),
+ mod, kallsyms->symtab[i].st_value);
+ if (ret != 0)
diff --git a/queue-3.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch b/queue-3.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
new file mode 100644
index 00000000000..56f5eab8444
--- /dev/null
+++ b/queue-3.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: "J. Bruce Fields"
+Date: Wed, 13 Jun 2018 15:21:35 -0400
+Subject: nfsd: fix corrupted reply to badly ordered compound
+
+From: "J. Bruce Fields"
+
+[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ]
+
+We're encoding a single op in the reply but leaving the number of ops
+zero, so the reply makes no sense.
+
+Somewhat academic as this isn't a case any real client will hit, though
+in theory perhaps that could change in a future protocol extension.
+
+Reviewed-by: Jeff Layton
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4proc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1347,6 +1347,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+ if (status) {
+ op = &args->ops[0];
+ op->status = status;
++ resp->opcnt = 1;
+ goto encode_op;
+ }
+
diff --git a/queue-3.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch b/queue-3.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
new file mode 100644
index 00000000000..9daf75147a9
--- /dev/null
+++ b/queue-3.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Hari Bathini
+Date: Thu, 28 Jun 2018 10:49:56 +0530
+Subject: powerpc/kdump: Handle crashkernel memory reservation failure
+
+From: Hari Bathini
+
+[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ]
+
+Memory reservation for crashkernel could fail if there are holes around
+kdump kernel offset (128M). Fail gracefully in such cases and print an
+error message.
+
+Signed-off-by: Hari Bathini
+Tested-by: David Gibson
+Reviewed-by: Dave Young
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/machine_kexec.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/machine_kexec.c
++++ b/arch/powerpc/kernel/machine_kexec.c
+@@ -186,7 +186,12 @@ void __init reserve_crashkernel(void)
+ (unsigned long)(crashk_res.start >> 20),
+ (unsigned long)(memblock_phys_mem_size() >> 20));
+
+- memblock_reserve(crashk_res.start, crash_size);
++ if (!memblock_is_region_memory(crashk_res.start, crash_size) ||
++ memblock_reserve(crashk_res.start, crash_size)) {
++ pr_err("Failed to reserve memory for crashkernel!\n");
++ crashk_res.start = crashk_res.end = 0;
++ return;
++ }
+ }
+
+ int overlaps_crashkernel(unsigned long start, unsigned long size)
diff --git a/queue-3.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch b/queue-3.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
new file mode 100644
index 00000000000..6c514619620
--- /dev/null
+++ b/queue-3.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
@@ -0,0 +1,40 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Dan Carpenter
+Date: Tue, 5 Jun 2018 14:31:39 +0300
+Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
+
+From: Dan Carpenter
+
+[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
+
+This is a static checker fix, not something I have tested. The issue
+is that on the second iteration through the loop, we jump forward by
+le32_to_cpu(auth_req->length) bytes. The problem is that if the length
+is more than "buflen" then we end up with a negative "buflen". A
+negative buflen is type promoted to a high positive value and the loop
+continues but it's accessing beyond the end of the buffer.
+
+I believe the "auth_req->length" comes from the firmware and if the
+firmware is malicious or buggy, you're already toasted so the impact of
+this bug is probably not very severe.
+
+Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/rndis_wlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -2919,6 +2919,8 @@ static void rndis_wlan_auth_indication(s
+
+ while (buflen >= sizeof(*auth_req)) {
+ auth_req = (void *)buf;
++ if (buflen < le32_to_cpu(auth_req->length))
++ return;
+ type = "unknown";
+ flags = le32_to_cpu(auth_req->flags);
+ pairwise_error = false;
diff --git a/queue-3.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/queue-3.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
new file mode 100644
index 00000000000..e8c9493e0c6
--- /dev/null
+++ b/queue-3.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
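Review bot: In drivers/net/wireless/rndis_wlan.c the added guard rejects a record longer than the remaining buffer but still accepts `auth_req->length` values below `sizeof(*auth_req)`, including zero. According to the commit message the loop advances by that length (the advance itself is outside the hunk), so a zero length reported by the device would leave `buflen` unchanged and the `while` condition true indefinitely. Reading the field once and bounding it on both sides covers both cases: `u32 len = le32_to_cpu(auth_req->length);` followed by `if (len < sizeof(*auth_req) || len > buflen) return;`. A one-line comment that the length is device-supplied and untrusted would make the reason for the check clear.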
@@ -0,0 +1,52 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Vasily Gorbik
+Date: Sun, 17 Jun 2018 00:30:43 +0200
+Subject: s390/extmem: fix gcc 8 stringop-overflow warning
+
+From: Vasily Gorbik
+
+[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]
+
+arch/s390/mm/extmem.c: In function '__segment_load':
+arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
+source length [-Wstringop-overflow=]
+ strncat(seg->res_name, " (DCSS)", 7);
+
+What gcc complains about here is the misuse of strncat function, which
+in this case does not limit a number of bytes taken from "src", so it is
+in the end the same as strcat(seg->res_name, " (DCSS)");
+
+Keeping in mind that a res_name is 15 bytes, strncat in this case
+would overflow the buffer and write 0 into alignment byte between the
+fields in the struct. To avoid that increasing res_name size to 16,
+and reusing strlcat.
+
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/mm/extmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/mm/extmem.c
++++ b/arch/s390/mm/extmem.c
+@@ -80,7 +80,7 @@ struct qin64 {
+ struct dcss_segment {
+ struct list_head list;
+ char dcss_name[8];
+- char res_name[15];
++ char res_name[16];
+ unsigned long start_addr;
+ unsigned long end;
+ atomic_t ref_count;
+@@ -445,7 +445,7 @@ __segment_load (char *name, int do_nonsh
+ memcpy(&seg->res_name, seg->dcss_name, 8);
+ EBCASC(seg->res_name, 8);
+ seg->res_name[8] = '\0';
+- strncat(seg->res_name, " (DCSS)", 7);
++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name));
+ seg->res->name = seg->res_name;
+ rc = seg->vm_segtype;
+ if (rc == SEG_TYPE_SC ||
diff --git a/queue-3.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch b/queue-3.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
new file mode 100644
index 00000000000..b3f4b9068b6
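Review bot: The new size `res_name[16]` in struct dcss_segment is a bare literal whose derivation (8 name bytes, the 7-byte `" (DCSS)"` suffix, one NUL) is recorded only in the commit message. A comment on the field such as `/* dcss_name (8) + " (DCSS)" (7) + NUL */` would keep a later change to the suffix from reintroducing truncation unnoticed, since the `strlcat()` return value in __segment_load() is not checked. Both functions continue outside their hunks.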
--- /dev/null
+++ b/queue-3.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
@@ -0,0 +1,35 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Zhouyang Jia
+Date: Tue, 12 Jun 2018 11:13:00 +0800
+Subject: scsi: bnx2i: add error handling for ioremap_nocache
+
+From: Zhouyang Jia
+
+[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ]
+
+When ioremap_nocache fails, the lack of error-handling code may cause
+unexpected results.
+
+This patch adds error-handling code after calling ioremap_nocache.
+
+Signed-off-by: Zhouyang Jia
+Reviewed-by: Johannes Thumshirn
+Acked-by: Manish Rangankar
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/bnx2i/bnx2i_hwi.c
++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c
+@@ -2742,6 +2742,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i
+ BNX2X_DOORBELL_PCI_BAR);
+ reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF);
+ ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4);
++ if (!ep->qp.ctx_base)
++ return -ENOMEM;
+ goto arm_cq;
+ }
+
diff --git a/queue-3.18/scsi-ibmvscsi-improve-strings-handling.patch b/queue-3.18/scsi-ibmvscsi-improve-strings-handling.patch
new file mode 100644
index 00000000000..f0d0d330158
--- /dev/null
+++ b/queue-3.18/scsi-ibmvscsi-improve-strings-handling.patch
@@ -0,0 +1,60 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Breno Leitao
+Date: Tue, 26 Jun 2018 17:35:16 -0300
+Subject: scsi: ibmvscsi: Improve strings handling
+
+From: Breno Leitao
+
+[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ]
+
+Currently an open firmware property is copied into partition_name variable
+without keeping a room for \0.
+
+Later one, this variable (partition_name), which is 97 bytes long, is
+strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is
+96 bytes long, possibly truncating it 'again' and removing the \0.
+
+This patch simply decreases the partition name to 96 and just copy using
+strlcpy() which guarantees that the string is \0 terminated. I think there
+is no issue if this there is a truncation in this very first copy, i.e,
+when the open firmware property is read and copied into the driver for the
+very first time;
+
+This issue also causes the following warning on GCC 8:
+
+ drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation]
+ ...
+ inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7:
+ drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation]
+
+CC: Bart Van Assche
+CC: Tyrel Datwyler
+Signed-off-by: Breno Leitao
+Acked-by: Tyrel Datwyler
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
+@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R
+ static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2;
+ static int fast_fail = 1;
+ static int client_reserve = 1;
+-static char partition_name[97] = "UNKNOWN";
++static char partition_name[96] = "UNKNOWN";
+ static unsigned int partition_number = -1;
+
+ static struct scsi_transport_template *ibmvscsi_transport_template;
+@@ -261,7 +261,7 @@ static void gather_partition_info(void)
+
+ ppartition_name = of_get_property(rootdn, "ibm,partition-name", NULL);
+ if (ppartition_name)
+- strncpy(partition_name, ppartition_name,
++ strlcpy(partition_name, ppartition_name,
+ sizeof(partition_name));
+ p_number_ptr = of_get_property(rootdn, "ibm,partition-no", NULL);
+ if (p_number_ptr)
diff --git a/queue-3.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch b/queue-3.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
new file mode 100644
index 00000000000..cf7eaeafd4c
--- /dev/null
+++ b/queue-3.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
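Review bot: `strlcpy()` in gather_partition_info() bounds the write but still scans `ppartition_name` up to its terminating NUL, and `of_get_property()` is called with a NULL length pointer, so nothing in this hunk limits the read if the firmware property is not NUL-terminated. Passing a length variable to `of_get_property()` and copying at most `min(len, sizeof(partition_name) - 1)` bytes before terminating would bound the read as well. Separately, the literal in `partition_name[96]` mirrors the size of the adapter-info field named in the commit message; sizing it from that field with `sizeof`, or from a shared constant, would keep the two from drifting apart again. gather_partition_info() continues outside the hunk.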
@@ -0,0 +1,34 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Bart Van Assche
+Date: Fri, 22 Jun 2018 14:53:01 -0700
+Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
+
+From: Bart Van Assche
+
+[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ]
+
+Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
+Signed-off-by: Bart Van Assche
+Reviewed-by: Mike Christie
+Cc: Mike Christie
+Cc: Christoph Hellwig
+Cc: Hannes Reinecke
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/iscsi/iscsi_target_tpg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_tpg.c
++++ b/drivers/target/iscsi/iscsi_target_tpg.c
+@@ -651,8 +651,7 @@ int iscsit_ta_authentication(struct iscs
+ none = strstr(buf1, NONE);
+ if (none)
+ goto out;
+- strncat(buf1, ",", strlen(","));
+- strncat(buf1, NONE, strlen(NONE));
++ strlcat(buf1, "," NONE, sizeof(buf1));
+ if (iscsi_update_param_value(param, buf1) < 0)
+ return -EINVAL;
+ }
diff --git a/queue-3.18/series b/queue-3.18/series
index bb1f088c9b0..70233a22cd4 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
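Review bot: The `strlcat()` result in iscsit_ta_authentication() is not checked, so when `buf1` has no room left for `"," NONE` the string handed to `iscsi_update_param_value()` is silently truncated, possibly ending in a partial method name. Rejecting the update keeps the stored authentication parameter well-formed: `if (strlcat(buf1, "," NONE, sizeof(buf1)) >= sizeof(buf1)) return -EINVAL;`. `sizeof(buf1)` is the buffer size only if `buf1` is declared as an array; the declaration is outside the hunk, so that is worth confirming.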
@@ -17,3 +17,32 @@ ext4-don-t-mark-mmp-buffer-head-dirty.patch
 arm64-add-trace_hardirqs_off-annotation-in-ret_to_user.patch
 hid-sony-update-device-ids.patch
 hid-sony-support-ds4-dongle.patch
+crypto-skcipher-fix-wstringop-truncation-warnings.patch
+tsl2550-fix-lux1_input-error-in-low-light.patch
+x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
+uwb-hwa-rc-fix-memory-leak-at-probe.patch
+usb-serial-kobil_sct-fix-modem-status-error-handling.patch
+media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
+powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
+x86-tsc-add-missing-header-to-tsc_msr.c.patch
+scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
+scsi-ibmvscsi-improve-strings-handling.patch
+usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
+alarmtimer-prevent-overflow-for-relative-nanosleep.patch
+s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
+alsa-snd-aoa-add-of_node_put-in-error-path.patch
+media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
+media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
+staging-android-ashmem-fix-mmap-size-validation.patch
+drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
+media-tm6000-add-error-handling-for-dvb_register_adapter.patch
+alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
+rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
+wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
+arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
+hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
+scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
+audit-fix-extended-comparison-of-gid-egid.patch
+asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
+module-exclude-shn_undef-symbols-from-kallsyms-api.patch
+nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
diff --git a/queue-3.18/staging-android-ashmem-fix-mmap-size-validation.patch b/queue-3.18/staging-android-ashmem-fix-mmap-size-validation.patch
new file mode 100644
index 00000000000..f721bcb48aa
--- /dev/null
+++ b/queue-3.18/staging-android-ashmem-fix-mmap-size-validation.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Alistair Strachan
+Date: Tue, 19 Jun 2018 17:57:35 -0700
+Subject: staging: android: ashmem: Fix mmap size validation
+
+From: Alistair Strachan
+
+[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]
+
+The ashmem driver did not check that the size/offset of the vma passed
+to its .mmap() function was not larger than the ashmem object being
+mapped. This could cause mmap() to succeed, even though accessing parts
+of the mapping would later fail with a segmentation fault.
+
+Ensure an error is returned by the ashmem_mmap() function if the vma
+size is larger than the ashmem object size. This enables safer handling
+of the problem in userspace.
+
+Cc: Todd Kjos
+Cc: devel@driverdev.osuosl.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: Joel Fernandes
+Signed-off-by: Alistair Strachan
+Acked-by: Joel Fernandes (Google)
+Reviewed-by: Martijn Coenen
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/android/ashmem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -370,6 +370,12 @@ static int ashmem_mmap(struct file *file
+ goto out;
+ }
+
++ /* requested mapping size larger than object size */
++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ /* requested protection bits must match our allowed protection mask */
+ if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask)) &
+ calc_vm_prot_bits(PROT_MASK))) {
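Review bot: The new check in ashmem_mmap() bounds only the mapping length (`vma->vm_end - vma->vm_start`), while the commit message speaks of size/offset; `vma->vm_pgoff` does not appear in the comparison. If a non-zero offset can reach this function, a mapping that fits by length could still extend past the end of the object, so either the offset should be folded into the left-hand side or a comment should say where it is rejected. The rest of the function is outside the hunk, so an existing offset check elsewhere cannot be ruled out. Wrapping the condition in `unlikely()` would also match the protection-mask check just below it.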
diff --git a/queue-3.18/tsl2550-fix-lux1_input-error-in-low-light.patch b/queue-3.18/tsl2550-fix-lux1_input-error-in-low-light.patch
new file mode 100644
index 00000000000..8dc865475c5
--- /dev/null
+++ b/queue-3.18/tsl2550-fix-lux1_input-error-in-low-light.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Matt Ranostay
+Date: Fri, 8 Jun 2018 23:58:15 -0700
+Subject: tsl2550: fix lux1_input error in low light
+
+From: Matt Ranostay
+
+[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ]
+
+ADC channel 0 photodiode detects both infrared + visible light,
+but ADC channel 1 just detects infrared. However, the latter is a bit
+more sensitive in that range so complete darkness or low light causes
+a error condition in which the chan0 - chan1 is negative that
+results in a -EAGAIN.
+
+This patch changes the resulting lux1_input sysfs attribute message from
+"Resource temporarily unavailable" to a user-grokable lux value of 0.
+
+Cc: Arnd Bergmann
+Cc: Greg Kroah-Hartman
+Signed-off-by: Matt Ranostay
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/tsl2550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/tsl2550.c
++++ b/drivers/misc/tsl2550.c
+@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0,
+ } else
+ lux = 0;
+ else
+- return -EAGAIN;
++ return 0;
+
+ /* LUX range check */
+ return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux;
diff --git a/queue-3.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch b/queue-3.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch
new file mode 100644
index 00000000000..10cf67a7d64
--- /dev/null
+++ b/queue-3.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch
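Review bot: The `return 0;` branch in tsl2550_calculate_lux() carries no comment, so the code no longer shows that this path was an error return and is now deliberately reported as 0 lux. A short comment on the branch, for example `/* ch1 > ch0 happens in darkness or low light; report 0 lux */`, would record the reasoning given in the commit message. The unbraced nested `if`/`else` chain around it is also easy to misread and would be clearer with braces; the start of that chain is outside the hunk.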
@@ -0,0 +1,47 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Johan Hovold
+Date: Wed, 4 Jul 2018 17:02:18 +0200
+Subject: USB: serial: kobil_sct: fix modem-status error handling
+
+From: Johan Hovold
+
+[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ]
+
+Make sure to return -EIO in case of a short modem-status read request.
+
+While at it, split the debug message to not include the (zeroed)
+transfer-buffer content in case of errors.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/kobil_sct.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -396,12 +396,20 @@ static int kobil_tiocmget(struct tty_str
+ transfer_buffer_length,
+ KOBIL_TIMEOUT);
+
+- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n",
+- __func__, result, transfer_buffer[0]);
++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n",
++ result);
++ if (result < 1) {
++ if (result >= 0)
++ result = -EIO;
++ goto out_free;
++ }
++
++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]);
+
+ result = 0;
+ if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0)
+ result = TIOCM_DSR;
++out_free:
+ kfree(transfer_buffer);
+ return result;
+ }
diff --git a/queue-3.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch b/queue-3.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
new file mode 100644
index 00000000000..768eb2ea286
--- /dev/null
+++ b/queue-3.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Julia Lawall
+Date: Sun, 1 Jul 2018 19:32:04 +0200
+Subject: usb: wusbcore: security: cast sizeof to int for comparison
+
+From: Julia Lawall
+
+[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]
+
+Comparing an int to a size, which is unsigned, causes the int to become
+unsigned, giving the wrong result. usb_get_descriptor can return a
+negative error code.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+//
+@@
+int x;
+expression e,e1;
+identifier f;
+@@
+
+*x = f(...);
+... when != x = e1
+ when != if (x < 0 || ...) { ... return ...; }
+*x < sizeof(e)
+//
+
+Signed-off-by: Julia Lawall
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/wusbcore/security.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/wusbcore/security.c
++++ b/drivers/usb/wusbcore/security.c
+@@ -230,7 +230,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb
+
+ result = usb_get_descriptor(usb_dev, USB_DT_SECURITY,
+ 0, secd, sizeof(*secd));
+- if (result < sizeof(*secd)) {
++ if (result < (int)sizeof(*secd)) {
+ dev_err(dev, "Can't read security descriptor or "
+ "not enough data: %d\n", result);
+ goto out;
diff --git a/queue-3.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch b/queue-3.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch
new file mode 100644
index 00000000000..3bb29d08aff
--- /dev/null
+++ b/queue-3.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch
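Review bot: The `(int)sizeof(*secd)` cast in wusb_dev_sec_add() corrects the comparison but leaves one test covering two different failures, a negative error return and a short read. Writing the condition as `if (result < 0 || (size_t)result < sizeof(*secd)) {` states both cases explicitly without narrowing a `size_t`, and would let the log message tell them apart. The function body continues outside the hunk.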
@@ -0,0 +1,32 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Anton Vasilyev
+Date: Fri, 6 Jul 2018 15:32:53 +0300
+Subject: uwb: hwa-rc: fix memory leak at probe
+
+From: Anton Vasilyev
+
+[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ]
+
+hwarc_probe() allocates memory for hwarc, but does not free it
+if uwb_rc_add() or hwarc_get_version() fail.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Anton Vasilyev
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/uwb/hwa-rc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -875,6 +875,7 @@ error_get_version:
+ error_rc_add:
+ usb_put_intf(iface);
+ usb_put_dev(hwarc->usb_dev);
++ kfree(hwarc);
+ error_alloc:
+ uwb_rc_put(uwb_rc);
+ error_rc_alloc:
diff --git a/queue-3.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch b/queue-3.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
new file mode 100644
index 00000000000..697732cd0f3
--- /dev/null
+++ b/queue-3.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
@@ -0,0 +1,55 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Tony Lindgren
+Date: Tue, 19 Jun 2018 02:43:35 -0700
+Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
+
+From: Tony Lindgren
+
+[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ]
+
+Otherwise we can get:
+
+WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84
+
+I've only seen this few times with the runtime PM patches enabled
+so this one is probably not needed before that. This seems to
+work currently based on the current PM implementation timer. Let's
+apply this separately though in case others are hitting this issue.
+
+Signed-off-by: Tony Lindgren
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ti/wlcore/cmd.c
++++ b/drivers/net/wireless/ti/wlcore/cmd.c
+@@ -35,6 +35,7 @@
+ #include "wl12xx_80211.h"
+ #include "cmd.h"
+ #include "event.h"
++#include "ps.h"
+ #include "tx.h"
+ #include "hw_ops.h"
+
+@@ -187,6 +188,10 @@ int wlcore_cmd_wait_for_event_or_timeout
+
+ timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT);
+
++ ret = wl1271_ps_elp_wakeup(wl);
++ if (ret < 0)
++ return ret;
++
+ do {
+ if (time_after(jiffies, timeout_time)) {
+ wl1271_debug(DEBUG_CMD, "timeout waiting for event %d",
+@@ -218,6 +223,7 @@ int wlcore_cmd_wait_for_event_or_timeout
+ } while (!event);
+
+ out:
++ wl1271_ps_elp_sleep(wl);
+ kfree(events_vector);
+ return ret;
+ }
diff --git a/queue-3.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch b/queue-3.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
new file mode 100644
index 00000000000..5d1bb030eaa
--- /dev/null
+++ b/queue-3.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
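Review bot: The early `return ret;` after `wl1271_ps_elp_wakeup()` in wlcore_cmd_wait_for_event_or_timeout() bypasses the `out:` label, which is where `events_vector` is freed. The allocation is outside the hunk, but if it happens before the `timeout_time` assignment, every failed wakeup leaks that buffer. Jumping to `out` is not the fix either, because that would call `wl1271_ps_elp_sleep()` without a matching wakeup; a second label after the sleep call works: `if (ret < 0) goto out_free;` with `out_free:` placed directly before `kfree(events_vector);`.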
@@ -0,0 +1,38 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Dan Williams
+Date: Fri, 6 Jul 2018 09:08:01 -0700
+Subject: x86/numa_emulation: Fix emulated-to-physical node mapping
+
+From: Dan Williams
+
+[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ]
+
+Without this change the distance table calculation for emulated nodes
+may use the wrong numa node and report an incorrect distance.
+
+Signed-off-by: Dan Williams
+Cc: David Rientjes
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Wei Yang
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/mm/numa_emulation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/numa_emulation.c
++++ b/arch/x86/mm/numa_emulation.c
+@@ -60,7 +60,7 @@ static int __init emu_setup_memblk(struc
+ eb->nid = nid;
+
+ if (emu_nid_to_phys[nid] == NUMA_NO_NODE)
+- emu_nid_to_phys[nid] = nid;
++ emu_nid_to_phys[nid] = pb->nid;
+
+ pb->start += size;
+ if (pb->start >= pb->end) {
diff --git a/queue-3.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch b/queue-3.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch
new file mode 100644
index 00000000000..55e333091be
--- /dev/null
+++ b/queue-3.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch
@@ -0,0 +1,37 @@
+From foo@baz Sat Sep 29 04:32:11 PDT 2018
+From: Andy Shevchenko
+Date: Fri, 29 Jun 2018 22:31:10 +0300
+Subject: x86/tsc: Add missing header to tsc_msr.c
+
+From: Andy Shevchenko
+
+[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ]
+
+Add a missing header otherwise compiler warns about missed prototype:
+
+CC arch/x86/kernel/tsc_msr.o
+arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes]
+ unsigned long cpu_khz_from_msr(void)
+ ^~~~~~~~~~~~~~~~
+
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Thomas Gleixner
+Cc: "H. Peter Anvin"
+Cc: Pavel Tatashin
+Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/tsc_msr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/tsc_msr.c
++++ b/arch/x86/kernel/tsc_msr.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /* CPU reference clock frequency: in KHz */
+ #define FREQ_83 83200